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Abstract 

Software development for NASA missions is a 
particularly challenging task. Missions are extremely 
ambitious scientifically, have very strict time frames, and 
must be accomplished with a maximum degree of 
reliability. Verification technologies must therefore be 
pushed far beyond their current capabilities . Moreover, 
reuse and adaptation of software architectures and 
components must be incorporated in software 

development within and across missions. This paper 
discusses .VA5A applications that we are currently 
investigating from these perspectives. 

1. Introduction 

The challenges that NASA faces in software 
development are untypical of most organizations. 
Preparation for a single NASA mission may incur billions 
of dollars, which makes loss of a mission a very serious 
matter. Launch windows are often inflexible. For example 
Mars missions may only be launched every 26 months, for 
planets to be in specific favorable positions. Failing to 
prepare such a mission on time is equivalent to loss of 
mission. There is therefore, often, a very strict “time to 
market”. These reasons make the organization particularly 
sensitive to issues of reliability, and conservative in 
accepting new technologies that cannot be verified 
adequately. 

As extremely ambitious projects are aimed for by 
NASA, software plays a greater role in its missions. For 
example, compared to the 32,000 lines of code required 
for the Cassini space craft, the International Space Station 
contains 2 million lines of code operating on 52 
computers. Such software is typically developed by 
distributed interdisciplinary teams of contractors and 
NASA engineers. Information and knowledge about 
software process and products must be exchanged across 
organizational boundaries inside and outside of NASA. As 
a result, component integration is a critical issue that has 
to be addressed and verified at all phases of software 
development. 


The current trend within NASA is toward more- 
frequent lower-cost missions. Even when missions have 
different objectives, there are a lot of common decisions 
made during mission planning and design. Therefore, to 
achieve the required quality within limited mission 
budgets and time frames, NASA must develop software 
architectures that can be reused across missions and 
components that can be adapted to specific mission 
requirements. 

In what follows, we outline a number of NASA 
application areas in which we conduct research related to 
component architectures, integration, and verification. 

2. NASA Applications 

This section provides an overview of challenging 
application areas we are investigating, of research issues 
they involve, and of targeted technologies. 

2.1 Autonomous Architectures 

Autonomous software systems pose new challenges to 
software verification. They involve complex concurrent 
behaviors for reacting to external stimuli and possibly 
unpredictable environments without human intervention. 
Such an example is software for Rovers for Mars 
missions. In the past, a Rover would receive from ground 
plans corresponding to fully deterministic/intlexible 
executions of the Rover. In future missions, these plans 
will allow an increasing degree of flexibility. The Rover 
will be able to make behavioral decisions based on 
environmental or timing conditions. This results in a huge 
number of possible executions that would need to be 
thoroughly verified to avoid loss of time, resources, or 
even loss of mission. 

Extensive verification and validation are therefore pre- 
requisites for the deployment of missions that involve 
autonomous systems. For such complex systems, however, 
traditional testing techniques have proven insufficient in 
providing the desired degree of correctness guarantees. 
For example, despite extensive testing, the Remote Agent, 


suppurt the verification of IMA architectures and 
applications running on IMA. Initial investigations with 
DUOS, a microkernel -based real-time operating system 
used in Honeywell’s Primus Epic avionics product line, 
have shown that model-checking can be effective in 
verifying critical properties of these architectures [9|. 
However, more research is needed to scale the technology 
to full-size IMA systems and to address independent 
certification of IMA applications [ 10|. 

The cost-saving promises of independent certification 
and reuse-based certification are attractive elements of the 
IMA approach. However, it is well known that, except in 
the most controlled environments, software reuse quickly 
becomes an ad-hoc process with unpredictable results. To 
address this issue, we are developing component-based 
application generation technology, which produces a 
certification argument during the generation process. This 
work is an extension of previous work that uses automated 
theorem proving technology to generate software from 
subroutine libraries along with explanations of how the 
software was derived [II, 12]. The approach we are 
investigating is to use formal specifications to represent 
both the generic behavior of the reusable components as 
well as adaptation and configuration techniques that are 
used to integrate the component into the generated 
application. It is our hypothesis that separating the 
specification of component function from interaction will 
provide a more effective framework for constructing 
certification arguments. 

2.3 Component-Based Scientific Programming 

Data analysis and visualization are major activities 
required for the support of NASA science missions. 
Numerous software toolkits and libraries are available to 
support the construction of custom data analysis and 
visualization applications. However, due to differences in 
data formats and system implementation styles, using 
these systems often requires space scientists to perform 
extensive custom programming that is time-consuming, 
expensive and not reusable between missions. In addition, 
current approaches to developing scientific software do 
not scale well. Scientific software is commonly developed 
from prototype systems and is evolved through 
experimentation. As the software is expanded and 
generalized, it becomes difficult to modify and maintain 
due to this ad-hoc development style. Because scientific 
problems are becoming larger and more complex, these 
software-engineering issues are unavoidable. 

To address these problems, there has been a recent 
movement toward component-based software 
development for scientific programming. Increased 
reliability is the primary benefit of a component-based 
approach from the perspective of scientific applications, 
because unreliable software leads to unreliable scientific 


results f 1 3 1 . In addition, it simplifies component 
integration and can address the scalability and 
maintainability problems of scientific applications. 

To support the use of component-based software for 
web-based data analysis applications, we are integrating 
component-based application generation technology into a 
middleware infrastructure [14J. Using this infrastructure, 
scientists will provide a specification of three kinds of 
components: (l) the desired data source. (2) a data 
analysis filter, and (3) a visualization device. From this 
information, the desired application will be generated 
automatically. To provide this automated capability, the 
infrastructure contains an intelligent component 
integration system (iCIS) that automates component 
retrieval, adaptation, and integration using automated 
reasoning [15-17]. It takes the user’s request, locates the 
corresponding components in a heterogeneous and 
distributed environment, and uses component interface 
specification and data archive meta-data to automatically 
generate any adapters required for component integration. 
Thus, the need for time-consuming and expensive custom 
programming will be reduced. 

3. Discussion 

The research projects that we have described in this 
paper are at very early stages. We are still trying to 
capture the complexity of the problems they involve, let 
alone solve those problems. 

Modularity can pay off during all phases of system 
development. Tt is the most promising factor in scaling 
system verification; it can make systems more flexible, in 
that it facilitates replacing components or plugging in new 
ones. To achieve it is, however, far from straightforward. 

It requires careful design of a system as early as at the 
architecture stage. 

One of the issues we need to address within this 
context is to provide support for checking systems or their 
components in isolation. This requires providing 
appropriate environments or contexts for them. A 
common factor in the applications that we have described 
is that the environments in which they operate are 
complex and unpredictable, so that it becomes very 
difficult to provide any type of constraints for their 
possible behaviors. Moreover, the complex relationships 
that exist between the components in these systems make 
it difficult to construct context/environment models that 
can be used to verify non-trivial properties 
compositionally. 

An additional issue has to do with defining component 
interfaces and checking their compatibility, but for 
information that involves behavioral, rather than simply 
syntactic aspects. However, the type, degree of detail, and 
form that this information must take to support tractable 


verification of properties of practical interest is an open 
research issue. 

T here remains a lot of work to be done towards 
developing good software engineering principles in 
general. Given the particular nature and complexity of the 
problems we are faced with, we are first working toward 
domain-specific solutions as a more realistic goal. We 
anticipate that architectures for our target applications will 
gradually evolve to provide some verifiable guarantees 
about domain-specific requirements. 

Ultimately, we would like to be able to advise 
engineers about how to design and structure their systems 
for verifiability. The need for a maximum degree of 
reliability in NASA missions would justify adapting the 
software and systems developed to the rules that the need 
for verifiability might provide. As the architectures and 
tools mature, it may be possible to use domain-specific 
application generation technology to support reuse of 
these verified architectures. 
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